Abstract

Research into active networking has provided the incentive to re-visit what has traditionally been classified as distinct properties and characteristics of information transfer such as protocol versus service; at a more fundamental level this paper considers the blending of computation and communication by means of complexity. The specific service examined in this paper is network self-prediction enabled by Active Virtual Network Management Prediction. Computation/communication is analyzed via Kolmogorov Complexity. The result is a mechanism to understand and improve the performance of active networking and Active Virtual Network Management Prediction in particular. The Active Virtual Network Management Prediction mechanism allows information, in various states of algorithmic and static form, to be transported in the service of prediction for network management. The results are generally applicable to algorithmic transmission of information. Kolmogorov Complexity is used and experimentally validated as a theory describing the relationship among algorithmic compression, complexity, and prediction accuracy within an active network. Finally, the paper concludes with a complexity-based framework for Information Assurance that attempts to take a holistic view of vulnerability analysis.

Keywords: Active Virtual Network Management Prediction, Kolmogorov Complexity, Information Assurance and Active Networks.

1. Introduction 

Kolmogorov Complexity ($K(x)$) is the optimal compression of string $x$. This incomputable, yet fundamental property of information has vast implications in a wide range of applications including system management and optimization [11, 12], security [Q, [Tp, and bioinformatics. Active networks |^ form an ideal environment in which to study the effects of tradeoffs in algorithmic and static information representation because an active packet is concerned with the efficient transport of both code and data. A question active network application developers must answer is: "How can I best leverage the capabilities that active networks have to offer?". Because the word "active" in active networks refers to the ability to dynamically move code and modify execution of components deep within the network, this typically leads to another question: "What is the optimal proportion of content for an active application that should be code versus data?". A method for obtaining the answer to this question comes from direct application of Minimum Description Length (MDL) [16] to an active packet. Let be a binary string representing $x$. Let $H_x$ be a hypothesis or model, in algorithmic form, that attempts to explain how $x$ is formed. Later in this paper, we view as a predictor of $x$ in the analysis of Active Virtual Network Management Prediction. For now let us focus on developing a measure of the complexity of $x$. MDL states that the sum of the length of the shortest encoding of a hypothesis about the model generating the string and the length of the shortest encoding of the string encoded by the hypothesis will estimate the Kolmogorov Complexity of string $x$, $K(x) = K(H_x) + K(D_x|H_x)$. Note that error in the hypothesis or model must be compensated within the encoding. A small hypothesis with a large amount of error does not yield the smallest encoding, nor does an excessively large hypothesis with little or with no error. A method for determining $K(x)$ can be viewed as separating randomness from non-randomness in $x$ by "squeezing out" non-randomness, which is computable, and representing the non-randomness algorithmically. The random part of the string, i.e. the part remaining after all pattern has been removed, represents pure randomness, unpredictability, or simply, error. Thus, the goal is to minimize $l(H_e) + l(D_x|H_e) + l(E)$ where $l(x)$ is the length of string $x$, $H_e$ is the estimated hypothesis used to encode the string ($D_x$) and $E$ is the error in the hypothesis. The more accurately the hypothesis describes string $x$ and the shorter the hypothesis, the shorter the encoding of the string. A series of active packets carrying the same information are measured as shown in Figure 1. Choosing an optimal proportion of code and data minimizes the packet length. The goal is to learn how to optimize the combination of communication and computation enabled by an active network. Clearly, if $K(x)$ is estimated to be high for the transfer of a piece of information, then the benefit of having code within an active packet is minimal. On the other hand, if the complexity estimate is low, then there is great potential benefit in including it in algorithmic form within the active packet. When this algorithmic information changes often and impacts low-level network devices, then active networking provides the best framework for implementing solutions (a specific example of separating non-randomness from randomness, although not explicitly stated as such, can be found in predictive mobility management as discussed in [0 |l5|]). However, the optimization of code/data or computation/communication has an additional constraint, namely security. Complexity also plays a significant role in the analysis of potential vulnerability within a network as discussed later in this paper.

Figure 1. Algorithmic Content.

An active packet that has been reduced to the length of the best estimate of the Kolmogorov Complexity of the information it transmits will be called the minimum size active packet. When the minimum size active packet is executed to regenerate string $x$, the $D_x|H_e$ portion of the packet predicts $x$ using static data ($E$) to correct for inaccuracy in the estimated hypothesis. There are interesting relationships among Kolmogorov Complexity, prediction, compression and the Active Virtual Network Management Prediction (AVNMP) mechanism described in Details on the operation and mechanism of operation for AVNMP can be found in papers as early as [^. Space limitations in this paper preclude a detailed description of operation, however, an overview of the characteristics and properties of AVNMP as well as new experimental results are presented and the relationships among complexity, predictability, and compressibility and information assurance are discussed and experimentally validated throughout this paper. The next section provides an overview of AVNMP before discussing its relationship to Kolmogorov Complexity. After required relevant background on AVNMP is explained, the relationship to Complexity Theory is developed beginning from a high level overview, then driving down into detailed relationships and experimental results.

2. Active Virtual Network Management Prediction Overview

The Active Virtual Network Management Prediction (AVNMP)[i] architecture provides a network prediction service that utilizes the capability of active networking to inject fine-grained models into the communication network to enhance network performance. Active Virtual Network Management Prediction (AVNMP) provides a network prediction service designed to facilitate the management of large, complex, active networks in a proactive manner. Network management includes a wide variety of responsibilities including configuration, fault, performance, accounting, and security management. A network management system must be able to monitor, control, and report upon the status of all these areas. In addition, the network management system should be more than a tool to generate reports and help fix problems; it should have the capability to anticipate and correct problems before they impact network performance. AVNMP accomplishes prediction and fault anticipation using a novel coupling of concepts from distributed simulation and active networking. A simple example demonstrating AVNMP results on a single node for load prediction is shown in Figure 2. In today's management systems, a Management Information Base (MIB) maintains only current state values. In AVNMP, load is predicted into the future as real-time, called Wallclock, advances. Thus anticipated future values are available on the node as well as current values. In Figure 2 the Local Virtual Time (LVT) (future time) runs ahead of Wallclock Time (current time). Predicted load values are refined until Wallclock reaches the LVT of a particular value. This capability, described in detail in this paper, has been enabled by a new proactive network management framework combining three key enabling technologies; namely, distributed simulation, optimistic synchronization, and active networks.

Current project progress and experimental code is maintained in http://www.crd.ge.com/~bushsf/ftn. This research has been funded by the Defense Advanced Research Projects Agency (DARPA) contract F30602-01-C-0182 and managed by the Air Force Research Laboratory (AFRL) Information Directorate.

The predictive capability provided by AVNMP facilitates the development of a variety of predictive applications from mobile wireless location management and network security to improved QoS. AVNMP provides an ideal predictive service for mobile systems to predict their location [Ql. Because mobile location can be predicted, hand-off situations are known ahead of time and setup for hand-off can take place prior to the hand-off event resulting in fast hand-off and improved QoS. In the domain of network security, AVNMP can anticipate the progress of an attack along most likely vulnerability paths and incorporate that information into decision-making. An attack can be propagated through the system before it actually occurs in order to determine its impact. In collaboration with the United States National Institute of Standards and Technology, AVNMP has been demonstrated with CPU prediction models showing the system's ability to detect malicious active packets. Combined with the load prediction capability of AVNMP, Denial-of-Service attacks that use either abnormal amounts of CPU time or large numbers of small CPU packets can be detected and stopped [|]]. With regards to QoS, the load application previously discussed allows resources and routing to be better managed by anticipating traffic in order to optimize load distribution within the network. A few additional selected uses for AVNMP are the ability to choose an optimum management polling interval that minimizes overhead based upon predicted rate of change and fault probability of the monitored data in a managed entity, fault correction before the system is impacted and with time available to perform dynamic optimization of repair parts, service, and solution entities such as software agent or human coordination and optimal resource allocation and planning not only for load, but also for CPU utilization that becomes significant in active networks. AVNMP allows "What if...?" scenarios to become an integral part of the network and finally, AVNMP-enhanced components are enabled with the ability to protect themselves by taking proactive, evasive action, such as migrating to safe hardware before anticipated disaster occurs.

A severe limitation of state-of-the-art network management techniques is that they are inherently reactive. They attempt to isolate the problem and determine solutions after the problem has occurred. Proactive management is a necessary ingredient for managing future networks. Part of the proactive capability is provided by analyzing current performance and predicting future performance based on likely future events and the network's reaction to those events. This can be a highly dynamic, intensely computational operation. This has prevented management software from incorporating prediction capabilities. But distributed simulation techniques take advantage of parallel processing of information. If the management software can be distributed, it is possible to perform computation in parallel and aggregate the results to minimize computation overhead at each of the network nodes. The usefulness of optimistic techniques has been well documented for improving the efficiency of simulations. In optimistic logical process synchronization techniques, also known as Time Warp, causality can be relaxed in order to trade model fidelity for speed. If the system that is being simulated can be queried in real time, prediction accuracy can be verified and measures taken to keep the simulation in line with actual performance. AVNMP is implemented in an active network to provide predictive management of an active network. AVNMP is designed to utilize the additional processing and flexibility of an active network to provide better management of the added complexity in processing and bandwidth in an active network. AVNMP requires extreme network flexibility, primarily in the ability to inject fine-grained component models into the network. A much less flexible version of AVNMP could be implemented in legacy systems by building dedicated network component models directly into legacy network devices such as today's routers. However, these models would be immobile and not easily updated or removed, most likely requiring the network device to be taken down when models are changed or updated. A better mechanism for using AVNMP to manage legacy networks would be to provide an active network overlay capable of monitoring legacy nodes. AVNMP should reside in the active network overlay providing a predictive management service for the legacy network. This has the added benefit of transitioning a legacy network to an active network.

AVNMP, injected into the network as an active application, is capable of modeling load and propagating state information in a manner that meets the demand for accuracy at a particular active node. Greater demand for prediction accuracy is met at the cost of AVNMP performance, that is, the ability of AVNMP to predict farther into the future. While this paper focuses on network traffic and load prediction, an AVNMP application to predict CPU utilization for active network in collaboration with National Institute of Standards and Technology H, |]| has been demonstrated. The inherently distributed nature of communication networks and the computational power unleashed by the active networking paradigm have been used to mutual benefit in the development of the Active Virtual Network Management Prediction mechanism. The active network benefits from AVNMP by continuously receiving information about potential problems before they occur.

AVNMP benefits from the active network in many ways. The first, and most practical way is the ease of development and deployment of this novel prediction mechanism. This could not have been accomplished so quickly or easily given today's closed, proprietary network device processing. Another benefit is the fact that network packets now have the unprecedented ability to control their own processing. Great advantage was taken of this new capability in AVNMP. Virtual messages, varying widely in content and processing, can adjust their predicted values as they travel through the network. Finally, active networks add a level of robustness that cannot be found in today's networks. This robustness is due to the ability of AVNMP system components, which are active packets, to easily migrate from one node to another in the event of failure - or the prediction of failure provided by AVNMP itself.

Figure 2. Convergence of Prediction and Reality in the AVNMP State Queue.

The desired characteristics of AVNMP are a large lookahead time, high prediction accuracy, low overhead and robust operation. Each of these characteristics is inter-related and a suitable tradeoff needs to be determined during configuration of the system. The AVNMP experimental validation configuration for the initial test discussed in this paper is a feed forward network consisting of a host containing the Driving Process and four intermediate active network nodes containing Logical Processes as shown in Figure 3. AH-1 and AH-2 are host nodes and AN-1 through AN-5 are active network nodes. The edges between the nodes represent links between the labeled ports on each node. All nodes are Sun Sparcs running the Magician active network execution environment. The AVNMP system parameters were configured as shown in Table 1. In this experiment AVNMP is predicting the packet input and output rate for each link at each node, from an application residing on AH-1 that is transmitting active audio packets.

Figure 3. AVNMP Test Configuration.

Parameter                                Value
Sliding Window Lookahead Length (Λ)      200 seconds
Virtual Message Generation Rate          0.5 virtual messages/millisecond
Virtual Message Prediction Step Size     20 seconds
Tolerance for Prediction Error (Θ)       500 Messages/second
Virtual Real Message Ratio               1 virtual/real message
Load Hypothesis ($H_e$)                  Linear Extrapolation

Table 1. AVNMP Test Parameters.

The State Queue plot, Figure 2, shows the predicted traffic load values cached in the State Queue as a function of Local Virtual Time (LVT) and Wallclock. As Wallclock approaches any given Local Virtual Time, the predicted load values converge towards the actual load. The dashed line placed diagonally across the surface highlights where predicted time and actual time converge. The general operation is illustrated in the next five graphs where all measurements, unless otherwise indicated, are from node AN-4. These curves validate intuitive trends in the operation of AVNMP. Figure 4 shows the reduction in tolerance versus time that is pre-programmed into each Logical Process. The Y-axis is the tolerance that is demanded between the predicted value and the actual value of a Simple Network Management Protocol (SNMP) packet counter. This value is decreased purposely in this experiment in order to create a greater demand over time for accuracy and thus create a challenging validation of the AVNMP system under gradually increasing stress. In Figure 5 the proportion of out-of-tolerance messages is shown as a function of Wallclock. The Y-axis is the proportion of messages that arrived at a specific node out of tolerance, that is, the actual value exceeded the predicted value by an amount greater than the tolerance setting. As Wallclock progresses, the tolerance is purposely reduced causing a greater likelihood of messages exceeding the tolerance. This is done in order to validate the performance of the system as stress, in the form of greater demand for accuracy, is increased. Figure 6 shows the prediction error as a function of Wallclock. The Y-axis is the difference in the number of packets received versus the number of packets predicted to have been received. This graph verifies that the system is producing more accurate predictions as the demand for accuracy increases. However, the Y-axis of Figure 7 shows the lookahead decreasing versus Wallclock. The expected lookahead time is the difference between Wallclock and the Local Virtual Time at a particular node. The demand for greater accuracy reduces the distance into the future that the system can predict. Finally, in Figure 8 speedup, the ratio of virtual time to Wallclock of the real system, is shown as a function of Wallclock. The speedup is reduced as the demand for accuracy is increased. As previously mentioned, only for purposes of this experiment, the tolerance is being reduced as Wallclock progresses, causing the accuracy to increase while losing performance in terms of speedup and lookahead.

2.1. AVNMP Overhead 

AVNMP has the potential to generate two forms of overhead, processing overhead and bandwidth overhead. If the predicted results are within the user specified error tolerance and the user fully utilizes the predicted results, then overhead is at a minimum. The question of overhead versus benefit becomes one that depends upon the perceived utility of predictive capability and depends significantly upon the manner and application in which it is used. It is the author's belief that load and processing prediction are of particularly great importance in an active network where routing is based upon not only load, but the processing capability required by active applications. In this section, the load prediction application example is continued with overhead results displayed in terms of processing time and number of packets transmitted. The expected Active Network Encapsulation Protocol (ANEP) [Q] packet size measured during this test was 1000 bytes.

Figure 4. Tolerance Setting Decreases as Wallclock Increases Thus Demanding Greater Accuracy.

2.1.1 Task Execution Time and Message Overhead

The task execution time is the Wallclock time the system spends executing a non-rollback message. It was expected that task execution time would be essentially constant; however, it increases in direct proportion to the number of rollbacks as shown in Figure 9. This is caused by the lack of fossil collection. The increase in the number of values in the State Queue is causing access of the State Queue and Management Information Base (MIB) to slow in proportion to the queue size. Figure 10 displays the number of virtual messages versus Wallclock and Figure 11 displays the total number of anti-messages. This is expected to increase over time. This value is reset every time the tolerance is tightened (every 5 minutes in this case).

2.2. AVNMP Robustness 

AVNMP is both an active application and an application whose purpose is to provide predictive management of other active applications. As a management application it must be robust in the presence of a failing environment. So far, it has been shown to provide graceful predictive degradation in the presence of dropped packets and broken links. AVNMP consists of two main types of active packets: AvnmpLP, which is the Logical Process, and AvnmpPacket, which is the virtual message. If an AvnmpLP packet is dropped, the destination node will not have the capability to work forward in time or forward virtual messages. Thus, AVNMP features will not be available on the node for which AvnmpLP was destined and the accuracy of other nodes may be reduced. If an AvnmpPacket is dropped or unexpectedly delayed, accuracy will be reduced because the State Queues of downstream nodes will lack a predicted value. However, AVNMP will continue to operate with degraded performance. In the next section the role of complexity in understanding prediction is discussed. Ideally, of course, AVNMP should have predicted the error condition and taken action to mitigate it. However, control mechanisms have not yet been implemented.

2.3. Networking Viewed Through the Lens of Complexity

AVNMP can provide early warning of potential problems; however, the identification of a solution and marshaling of automated solution entities within an active network has not yet been fully addressed. This project has begun to lay the groundwork for such automated composition of management solutions within an active network [0. This direction is being carried forward by exploration of a relatively unexplored area - understanding the benefits of active networking, Algorithmic Information Theory, and its close companion, Complexity Theory. To our knowledge, this work is the first to propose and begin investigation into the newly available processing power of active networking through the concept of Complexity and Algorithmic Information ("Streptichrons") as shown in Figure 12. Legacy networks, which are today's passive networks, have been designed to optimize transmission of passive data using bit compression based upon the underlying notion of Shannon Entropy. AVNMP has shown that active networks allow for the possibility of executable models and that the corresponding information packets might be best studied with Kolmogorov Complexity as the underlying theory. It is serendipitous that Complexity Theory has been receiving more attention lately and is making significant theoretical progress at the same time that research into active networking is taking place. Active networks provide a new paradigm and enhanced capabilities, which, when combined with ideas from Algorithmic Information Theory [14], might lead to superior, innovative solutions to problems of network management. One possible approach proposes to combine Kolmogorov Complexity with the science of Algorithmic Information Theory (sometimes called Complexity Theory) to build self-managed networks that draw on fundamental properties of information to identify, analyze, and correct faults, as well as security vulnerabilities, in a distributed information system [ pi] , p^ . Specifically, we suspect that complexity measures can be used to detect and analyze problems in a network, and to facilitate techniques to remedy network faults. We also envision that Kolmogorov Complexity can be applied directly to improve the performance of AVNMP. In general, complexity is not computable; however, the bounds on complexity tighten continuously as fundamental research in Kolmogorov Complexity progresses.

Figure 5. Demand for Greater Accuracy Causes the Proportion of Out-of-Tolerance Messages to Increase.

One potential drawback to AVNMP, gently pointed out earlier in this paper, is the fact that AVNMP itself consumes resources in an effort to predict resource usage in a network. Resource consumption by AVNMP is tied directly to accuracy: higher accuracy costs more in terms of bandwidth utilization, associated with simulation rollbacks and the concomitant transmission of anti-messages. Despite this relationship, potential exists to nearly reach the theoretical minimum amount of bandwidth to achieve maximal model accuracy. This possibility arises because AVNMP consists of many small, distributed models (each a description of a theory) that work together in an optimistic, distributed manner via message passing (data). Each AVNMP model can be transferred, using an active network, as a Streptichron [Q], which is any message that contains an executable model in addition to data for prediction. Using Streptichrons, the optimal mix of data and model can be transmitted to implement MDL. Achieving maximal model accuracy at minimal bandwidth provides the best AVNMP accuracy at the least cost in AVNMP resource consumption.

Other possibilities exist to exploit Kolmogorov Complexity to improve AVNMP performance. For example, one can apply the MDL technique to the rollback frequency of all the AVNMP enhanced nodes in a network. A low rollback complexity (which suggests a high compressibility in the observed data) would indicate patterns in the rollback behavior that could be corrected relatively easily by tuning AVNMP parameters. High complexity (low compressibility) would indicate the lack of any computable patterns, and would suggest that little performance improvement could be achieved by simply tuning parameters. Thus, we hypothesize that our tuning gradient should be guided toward regions of high complexity, which suggests that we can tune parameters to improve the rollback frequency. The next section focuses upon experimental results relating prediction to complexity gathered from the operation of the AVNMP system.

Figure 6. Predictions Become More Accurate.

2.4. AVNMP and Kolmogorov Complexity 

In AVNMP, information that impacts the network is transmitted based upon prediction at a low level within the network. Thus, AVNMP allows experimentation in defining the boundaries within which active networking is beneficial. In Figure 13 an active and passive form of AVNMP is represented. The passive case is represented in the upper portion of the figure. In the passive case, actual data ($D_x$) is observed at the Driving Process. Note that in the AVNMP architecture, Driving Processes exist at the edge of the system. They monitor external forces acting upon the system, such as load, and generate virtual messages, which are a short-term local prediction about a specific property such as input load, that are injected into the AVNMP system. The Driving Process has a hypothesis that has been formed about the data; predicted data ($D_y$) is generated in the form of static virtual messages. The term static indicates that information content within the message contains no executable code. The virtual messages are propagated through the network driving the system ahead of Wallclock. When error in the hypothesis exceeds a preset threshold, AVNMP causes rollbacks to occur in order to adjust for the inaccuracy. In the lower portion of Figure 13, the hypothesis is included within each packet and is used to encode $D_y$ within the code portion of the active packet.

What is the relationship between the estimated operating hypothesis ($H_e$) that can encode an AVNMP packet and as the predictor in the Driving Processes? First, they are the same hypothesis. Second, it has been shown [14] that the shorter the packet, the better the predictor. Conversely, the worse the prediction, the longer the $E$ value, where $E$ can be considered any of the following equivalent names: error, complexity, or randomness within the AVNMP packet encoding. Can Active Virtual Network Management Prediction benefit from the fact that the smallest algorithmic form is also the most likely predictor of a sequence? This can come about because Driving Processes and Streptichrons (active virtual messages anticipating events in the future) benefit by being both small and accurate as shown in Figure 14. The objective is to increase the rate at which the predictions held within the State Queue converge to the actual value that will occur in the future, and to converge to that value before it actually exists. Actual and predicted values within a particular instance of a State Queue were shown in Figure 2. Let us examine AVNMP results in light of complexity in more detail in the next section.

Figure 7. ...at the Expense of Lookahead...



2.5. Load Prediction And Complexity In Active Virtual Network Management Prediction

With regard to active packets and information theory,
passive data is simple Shannon compressed data, and active
packets are a combination of data and program code whose
efficiency can be estimated by means of Kolmogorov Complexity.
The active network Kolmogorov Complexity estimator
is currently implemented as a quick and simple compression
estimation method. It returns an estimate of the
smallest compressed size of a string. It is based upon computing
the entropy of the weight of ones in a string. Specifically
it is defined in Equation 1 where x#1 is the number
of 1 bits and is the number of bits in the string whose
complexity is to be determined. Entropy is defined in Equation 2.
See [|l for other measures of empirical entropy and
their relationship to Kolmogorov Complexity. The expected
complexity is asymptotically related to entropy as shown in
Equation 3.



K(x) = l(x) H\left( \frac{x\#1}{x\#1 + x\#0} \right)    (1)

H(p) = -p \log_2 p - (1.0 - p) \log_2 (1.0 - p)    (2)

H(X) \approx \sum_{l(x) = n} P(X = x) K(x)    (3)



Load prediction data sampled from execution of
AVNMP is analyzed relative to several hypotheses. The
goal is to use a simple example to demonstrate the relationship
among accuracy of hypotheses, complexity, and compression.
The initial hypothesis (He) (regardless of naivete
in choice of hypothesis) is that the data can be characterized
by a simple linear extrapolation based upon the last sampled
load values. This is shown in Figure 15 where the gray
boxes are actual load samples and the black stars are predicted
load samples. Note that the predicted load is based
upon a short history shown in the graph as the initial match
between predicted and actual load.

Various enhancements are added to the initial hypothesis 
to create new hypotheses for our test. In this specific case, 
a running average was used to smooth the data before the 
extrapolation. The size of the running average defines a hy- 
pothesis. Each enhancement is considered a new hypothesis 
(He) in this experiment. In Figure 16, for each He the sum
of the error in predictions is graphed as the gray boxes in 
the lower portion of the graph. The compressed size of the 
corresponding error is plotted as the black stars in the upper 
portion of the figure. Clearly a better hypothesis concern- 
ing the origination of the data results in better prediction and 
greater compression, while poor hypotheses result in inac- 
curate prediction and reduced compression. This provides a 
concrete demonstration of the relation between complexity 
and prediction accuracy. 
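The experiment described above can be reproduced in outline as follows. This is an added Python example, not the paper's code: the load series is constructed, each hypothesis is a running-average window followed by one-step linear extrapolation, and zlib stands in for the compressor, which the text does not name.

```python
import math
import random
import zlib

def make_load(n, seed=7):
    """Constructed load samples: a slow periodic trend plus bounded integer noise."""
    rng = random.Random(seed)
    return [500 + round(200 * math.sin(2 * math.pi * t / 500)) + rng.randint(-20, 20)
            for t in range(n)]

def predict_errors(load, window, start):
    """Hypothesis: smooth with a running average of `window` samples, then
    extrapolate linearly one step ahead. Returns integer prediction errors."""
    errors = []
    for t in range(start, len(load) - 1):
        s_now = sum(load[t - window + 1:t + 1]) / window
        s_prev = sum(load[t - window:t]) / window
        predicted = s_now + (s_now - s_prev)
        errors.append(round(load[t + 1] - predicted))
    return errors

def compressed_size(errors):
    """Complexity estimate of the error sequence: size after zlib compression.
    Each error is stored as one byte (offset by 128); bytes() raises ValueError
    if an error falls outside [-128, 127]."""
    return len(zlib.compress(bytes(e + 128 for e in errors), 9))

def evaluate(load, windows):
    """Map each window size to (sum of absolute error, compressed error size).
    All hypotheses are scored over the same samples."""
    start = max(windows)
    results = {}
    for w in windows:
        errs = predict_errors(load, w, start)
        results[w] = (sum(abs(e) for e in errs), compressed_size(errs))
    return results

if __name__ == "__main__":
    for w, (err, size) in evaluate(make_load(2000), [1, 8, 64]).items():
        print(f"window={w:3d}  total |error|={err:7d}  compressed error bytes={size}")
```

With no smoothing (window 1) the extrapolation amplifies noise, and with heavy smoothing (window 64) it lags the trend; in both cases the error sequence is larger and compresses less well than for the intermediate window.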

A key contribution presented in this paper is the hypothe- 
sis and supporting experimental validation that greater com- 
plexity results in greater prediction error, and thus greater 
likelihood of AVNMP rollback. Load prediction error from 
AN-1 (see the experimental configuration shown in Figure
H) within the network is compared with the estimated complexity
of the actual load. In Figure 17 the load prediction
error is plotted with the estimated complexity versus
Wallclock where values are taken over intervals of the same
length as the Sliding Lookahead Window shown in Table 1.
Larger error, and thus more likely rollback, occurs during
periods of relatively high complexity, while complexity is
low during periods of low prediction error.

As predictions become more inaccurate in AVNMP, vir- 
tual messages should slow down, rather than burden the 
system with potential rollbacks. Poorly predicted messages 
will naturally be larger in their minimum size, which slows 
down their rate of propagation in proportion to their inaccu- 
racy. 

Another issue concerns a mechanism for feedback to the
Driving Process in order to improve He. Such a feedback
mechanism can be based upon input from the complexity
estimate, or minimum encoded packet size, of virtual messages.
The hypothesis is adjusted in a manner that drives the
system towards minimizing encoded virtual message size.

3. Complexity and Assurance 

Complexity is useful not only for management prediction
and active packet length optimization, but also for security.
The vulnerability analysis technique presented in this
section takes into account the innovation of an attacker. A
metric for innovation is not new; 700 years ago William
of Occam suggested a technique [10]. The salient point of
Occam's Razor and complexity-based vulnerability analysis
is that the better one understands a phenomenon, the
more concisely the phenomenon can be described. This
is the essence of the goal of science: to develop theories
that require a minimal amount of information to be fully
described. Ideally, all the knowledge required to describe a
phenomenon can be algorithmically contained in formulae,
and formulae that are larger than necessary reflect a lack of
full understanding of the phenomenon. Consider an attacker as
a scientist trying to learn more about his environment, that
is, the target system. Parasitic computing [|l]| is a literal
example of a scientist studying the operation of a communication
network and utilizing it to his advantage in an unintended
manner. In Parasitic computing, checksums, additional
overhead supposedly designed to ensure the integrity
of the information, are turned against the system and used
to the attacker's advantage. In fact, because information assurance
safeguard developers do not yet have a comprehensive
conceptual framework in which to evaluate the effectiveness
of their safeguards individually or as composites of
safeguards, such scenes are unfortunately all too common.
Safeguard designers must be able to capture and quantify
the mechanism by which an attacker as scientist generates
hypotheses and theorems about a system under attack. Theorems
are attempts to increase understanding of a system
by assigning a cause to an event, rather than assuming all
events are randomly generated. If theorem x, described in
bits, is of length l(x), then a theorem of length l(m), where
l(m) is much less than l(x), is not only much more compact,
but also 2^{l(x)-l(m)} times more likely to be the actual
cause than pure chance [10]. Thus, the more compactly a
theorem can be stated, the more likely the theorem is to be
correct. A measure of this compactness is described and
utilized in more detail later in this paper.

Imagine a vulnerability identification process that consists
of the following: waiting for an information system
to be attacked, then, assuming it survives and one can detect
the attack, analyzing the attack, and if the information
system is still not compromised, adding this information to
one's knowledge base. This technique would be unacceptable
to most people, but it is essentially the technique used
today. Information assurance, and vulnerability analysis in
particular, are hard problems primarily because they involve
the application of the scientific method by a defender to determine
a means of evaluating and thwarting the scientific
method applied by an attacker. This self-reference of scientific
methods would seem to imply a non-halting cycle
of hypothesis and experimental validation being applied by
both offensive and defensive entities, each affecting the operation
of the other. Information assurance depends upon
the ability to discover the relationships governing this cycle
and then quantifying and measuring the progress made by
both an attacker and defender. The salient factor controlling
the paths taken by attacker and defender is
the complexity of the system. Whether such properties are
measurable and how they will behave in a complex system
is a topic of open debate. However, a metric and framework
are required for quantifying information assurance in
such an environment of escalating knowledge and innovation.
Progress in vulnerability analysis and information assurance
research cannot proceed without fundamental metrics.
The metrics should identify and quantify fundamental
characteristics of information in order to guarantee assurance.

Figure 9. Expected Task Execution Time as a Function of Wallclock.

A fundamental definition of vulnerability analysis is formulated
in this paper based upon attacker and defender as
reasoning entities, capable of innovation. Truly innovative
implementations of attack and defense lead to the evolution
of complexity in an information system. Understanding the
evolution of complexity in a system enables a better understanding
of where to measure and how to quantify vulnerability
and leads towards a calculus of information complexity.
The design and implementation of a complexity-based
vulnerability analysis technique is under development as a
tool for automated measurement of information assurance.
The motivation for complexity-based vulnerability analysis
comes from the fact that complexity is a fundamental property
of information and can be ubiquitously applied. The
presentation and analysis of the Kolmogorov Complexity-based
vulnerability analysis framework must accomplish
several goals. As initially stated, the vulnerability analysis
technique must demonstrate the ability to account for the
innovation of an attacker. The technique should be based
upon fundamental properties of information, rather than
suffer from the combinatorial explosion that occurs when
explicitly examining all possible events generated by specific
systems. The vulnerability results should make intuitive
sense; vulnerability is reduced by increasing the apparent
complexity of access to information from potential attackers
while increasing vulnerability for less complicated,
or in some sense shortest paths of access to information.
A topological view of vulnerability can be demonstrated.
This is demonstrated by means of a Kolmogorov Complexity
Map (K-Map) in which low complexity paths, which are
likely to be easy for an attacker to follow, are identified. The
concept of a K-Map, or complexity grid, is shown in Figure
18 and the K-Map for a specific example is derived later in
this paper and shown in Figure . Figure 18 may itself appear
quite complex upon first glance; however, focus upon
individual parts of the figure in a logical progression. Begin
with the information to be protected that lies at the bottom
of Figure 18. Attacks are illustrated as the thin downward-pointing
arrows attempting to penetrate the system in order
to manipulate the information. Numerous safeguards, supposedly
designed to protect the information, each designed
to mitigate particular types of attack, are shown as barriers
with various levels of porosity inserted across the middle
of the figure. The overall complexity of the system is
illustrated by the surface contour located above the information
and safeguards and is comprised of the complexity
of several entities, namely: the information itself, the complexity
of the system in which the information resides and
the complexity of the safeguards. Innovative attacks will
be more likely to successfully penetrate areas of low complexity,
easier to comprehend components of the system. In
addition, specific types of attacks, such as Distributed Denial
of Service (DDoS) will appear as warps in the complexity
grid. This is due to the inherent system correlation in
DDoS attack-streams. The vulnerability analysis technique
should be applicable in a highly dynamic and amorphous
information environment; an active network environment is
chosen because information can be transmitted through an
active network while its proportion of algorithmic content
varies. In other words, static data or executable code or various
combinations of both can represent information; both
forms of information should have high assurance. The assurance
of their interaction at a low level within an active
network presents a nice challenge.

Figure 10. Number of Virtual Messages versus Wallclock.

Kolmogorov Complexity provides a measure of complexity
that can be utilized for vulnerability analysis. Observe
an input sequence at the bit-level and concatenate it with
an output sequence at the bit-level. This input/output concatenation
is observed for either the entire system or for
components of the system. Low complexity input/output
observations quantify the ease of understanding by a potential
attacker. Previous work has demonstrated the use of
Kolmogorov Complexity for Distributed Denial of Service
(DDoS) attack detection [13]. Definition 1 explicitly states
the means of measuring the complexity of a system component,
or protocol interaction, to a potential attacker.

Definition 1: Vulnerability Metric. Vulnerability
is inversely proportional to K(x[opstart : opend])/l(x[opstart : opend]),
where opstart is the bit at which an operation to be discovered within
an information system begins, and opend is the last
bit in an attacker's observation.

In the remainder of the paper, excerpts from a Mathematica
Notebook are included. The excerpts contain code
using common mathematical and programming constructs
and therefore should be intuitively obvious without requiring
knowledge specific to Mathematica; any Mathematica
specific details are explained in the text. As a specific example
of the algorithmic capabilities of active networks,
consider the transmission of an estimate of π. One could
choose to send π as an extremely large number of digits;
in contrast, one could send a smaller algorithm capable of
generating π to an arbitrary number of digits. Consider an
illustration of this concept in more detail. The Mathematica
code, {{#1/#2&}, {22., 7.}}, represents an unnamed
function that divides the first argument by the second argument;
the function implements 22/7. Consider that the
function ({#1/#2&}) and the data ({22., 7.}) remain
unevaluated and are transmitted together. This represents an
active packet; it contains part code and part data. The RUN
function evaluates the function and returns the result; the
result in this case is static data, a legacy data packet. Mathematica
code that analyzes the characteristics of algorithmic
and passive information transmission is shown in Figure .
The active packet is defined as {{#1/#2&}, {22., 7.}},
which contains a pair of values and the code necessary to
perform division. The legacy, or passive packet, is defined
as RUN[{{#1/#2&}, {22., 7.}}], which pre-computes
the result of the division and transmits the same information
in non-algorithmic form. The argument defined as
{{1, 2, 3, 4}, {4, 3, 2, 1}} identifies the links traversed by
the active and passive packets respectively. In this case,
the first packet begins by crossing link one and the second
packet begins by crossing link four. The argument defined
as {100, 100, 1000, 1000} indicates link capacities for links
one, two, three, and four. Thus, the first packet transmits
both code and data that generates the intended information,
while the second packet transmits raw data only. The result
of executing the function below is load and processing
time spent on each link and node for each packet. In Figure
the load induced by sending the estimate of π using
AnetSim in Figure ^ is plotted for each link. Clearly, the
algorithmic representation of the information is more compact
and used less link capacity. In fact, this reinforces the
fact that, by knowing how to compute π, one could build
a more compact representation; this demonstrates Occam's
Razor for a useful purpose, information compression. This
has facilitated study of active (algorithmic) versus passive
transmission of information. For example, we allow the ratio
of data to code to change for the same information as
the packet traverses the network in a manner that optimizes
both link capacity and node processor speed.

Figure 11. Number of Anti-Messages versus Wallclock.

Before continuing with a specific analysis, consider Figure
^ which shows a topological view of components of a
sample system under analysis. The nodes are active application
components and the links are security relationships
between the components; the links are quantified using Kolmogorov
Complexity-based vulnerability analysis. START
is a state that is outside the system that represents the state
of the system before it has been penetrated by an attacker.



3.1. Complexity Surface: The Kolmogorov Complexity Map



The General Electric Corporate Research and Development
active network test bed implements complexity probes
as part of the active execution environment. The choice was
made to embed the complexity probe in the execution environment
rather than as an active application because it is
necessary to examine the content of active packets before
they reach the execution environment. In the Mathematica
simulation, each component of the active application contains
probe-input points through which bit level input and
output is collected. A complexity estimator based upon the
simple inverse compression ratio from Equation 1 is used to
estimate complexity in the density metric. Figure 21 graphs
results from density estimates taken of accumulated input
and output of three separate components of the active network
application. The graph shows the complexity of bit-level
input and output strings concatenated together. That
is, every input sequence is concatenated with an output sequence
and the density of the sequence is recorded at the
bit-level. The input/output concatenation is generated either
for individual components of the system or for a composition
of components. If there is low complexity in the
input/output observation pairs, then it is likely to be easy
for an attacker to understand the system, as in Definition 1.
The X-axis is the number of input and output observations
concatenated to form a single string of bits. From Figure ^
it would appear that Component E is most vulnerable due to
its consistently low complexity while Component B appears
to be the least vulnerable due to its larger complexity. These
results make intuitive sense because Component E simply
forwards data without any form of protection while Component
B adds noise to the data. This vulnerability method
does not take into account whether a component reduces or
increases complexity; in other words whether the change
was endothermic or exothermic complexity. These results
demonstrate how vulnerabilities are systematically discovered
using complexity; vulnerabilities can be quantified to
a value within the bounds of the complexity measure error.
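The estimator of Equation 1 and the density K(x)/l(x) of Definition 1, applied to accumulated input/output observations as the probe description above outlines. This is an added Python example, not the paper's Mathematica code; the forwarding component (standing in for Component E), the noise-adding component (standing in for Component B), the message format and all function names are constructed for illustration.

```python
import math
import random

def entropy(p):
    """Binary entropy H(p) of Equation 2, in bits."""
    if p <= 0.0 or p >= 1.0:
        return 0.0
    return -p * math.log2(p) - (1.0 - p) * math.log2(1.0 - p)

def to_bits(data):
    """Expand bytes into a list of bits, most significant bit first."""
    return [(byte >> shift) & 1 for byte in data for shift in range(7, -1, -1)]

def k_estimate(bits):
    """Equation 1: string length times the entropy of the weight of ones."""
    if not bits:
        return 0.0
    return len(bits) * entropy(sum(bits) / len(bits))

def density(bits, opstart=0, opend=None):
    """Definition 1: K/l over the observed window x[opstart:opend]."""
    window = bits[opstart:opend]
    return k_estimate(window) / len(window) if window else 0.0

def probe(component, inputs):
    """Concatenate each input with the component's output at the bit level and
    return the density of the accumulated string after every observation."""
    accumulated, trace = [], []
    for message in inputs:
        accumulated += to_bits(message) + to_bits(component(message))
        trace.append(density(accumulated))
    return trace

def forward(message):
    """Constructed component: forwards data without any form of protection."""
    return message

def make_noise_adder(seed):
    """Constructed component: XORs each byte with pseudo-random noise."""
    rng = random.Random(seed)
    def add_noise(message):
        return bytes(b ^ rng.getrandbits(8) for b in message)
    return add_noise

def sample_inputs(count=50):
    """Constructed input: small counters as 4-byte fields, so mostly 0 bits."""
    return [(i % 16).to_bytes(4, "big") for i in range(count)]

def rank_by_vulnerability(components, inputs):
    """Most vulnerable first: vulnerability is inversely proportional to density."""
    final = {name: probe(fn, inputs)[-1] for name, fn in components.items()}
    return sorted(final, key=final.get), final

if __name__ == "__main__":
    order, final = rank_by_vulnerability(
        {"E": forward, "B": make_noise_adder(1)}, sample_inputs())
    for name in order:
        print(f"component {name}: density {final[name]:.3f}")
```

Because this estimator only counts ones, it separates the two components here only because the constructed input is heavily biased toward 0 bits; structured input with balanced bit counts would score near 1 for both.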

In order to develop the Kolmogorov Complexity Map
(K-Map), consider the topology in more detail. Figure ^
shows the resulting densities inserted into a Mathematica
graph object. The graph object allows graph theory related
analyses to be applied. The directed graph in Figure
p4| shows the relationship among the vulnerabilities. The
START state, located in the center of the topology, represents
a location outside the system. In Figure 25 a matrix
is generated that shows the cost, in terms of complexity, of
traveling from any node to any other node in the K-Map.

In Figure ^ the function CoordVul computes a maximum
flow through the K-Map graph using the node positions
as shown in Figure ||. Density (K(x)/l(x)) from
Definition 1 acts as a resistance, while its inverse acts as
conductance, supporting insecurity flows as illustrated in
Figure ^. The resulting flow matrix in Figure ^ shows
the maximum flow through each link. Figure ^ shows the
complexity surface of the resulting flows. Higher areas correspond
to less vulnerable states, while lower areas correspond
to more vulnerable states. Note that in the following
contour maps, areas of infinite height are simply shown
without a surface. By comparing Figure |4| and Figure |9[
it is apparent that the START state, the infinite mountain in
the center of the topology, is invulnerable, which makes intuitive
sense. State E is the weakest individual component
and lowest area on the right side. Note that while State C
cannot be directly attacked from the START state, it can be
attacked via states B and E, which are located in the upper and lower
right side of the figure respectively and have a relatively intermediate
level of vulnerability.

In the insecurity flow contour shown in Figure 30, the
density from Definition 1 is resistance and all possible flows
from and to every node are summed to obtain an insecurity
level. While Node C is assigned infinite complexity as
shown in Figure it actually is the most insecure component
given that flows exist from Nodes B and E.

Figure 17. Estimated Complexity and Error within AVNMP.
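The K-Map analysis described above (minimum complexity paths, then insecurity flows with density as resistance) can be sketched as follows. This is an added Python example, not the paper's CoordVul code: the node order START, B, C, E and the truncated last entry of row B are assumptions, the remaining densities are the legible entries of the K-Map matrix printed with the paper's figures, and insecurity is computed here as the sum of maximum flows into each node.

```python
import math
from collections import deque

INF = math.inf
NODES = ["START", "B", "C", "E"]   # assumed node order
# Link densities K(x)/l(x). Legible entries come from the K-Map matrix on the
# page; the truncated last entry of row B is assumed to be INF (no link).
KMAP = [
    [INF, 1.17593, INF, 1.0975],   # START -> B, START -> E
    [INF, INF, 1.1074, INF],       # B -> C
    [INF, INF, INF, INF],          # C has no outgoing link
    [INF, INF, 1.1074, INF],       # E -> C
]

def min_complexity_paths(kmap):
    """Floyd-Warshall: least total density between every pair of nodes."""
    n = len(kmap)
    dist = [[0.0 if i == j else kmap[i][j] for j in range(n)] for i in range(n)]
    for k in range(n):
        for i in range(n):
            for j in range(n):
                if dist[i][k] + dist[k][j] < dist[i][j]:
                    dist[i][j] = dist[i][k] + dist[k][j]
    return dist

def max_flow(kmap, src, dst):
    """Edmonds-Karp maximum flow with conductance 1/density as link capacity."""
    n = len(kmap)
    cap = [[0.0 if math.isinf(d) else 1.0 / d for d in row] for row in kmap]
    total = 0.0
    while True:
        parent = {src: None}
        queue = deque([src])
        while queue and dst not in parent:      # breadth-first augmenting path
            u = queue.popleft()
            for v in range(n):
                if v not in parent and cap[u][v] > 1e-12:
                    parent[v] = u
                    queue.append(v)
        if dst not in parent:
            return total
        path, v = [], dst
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        push = min(cap[u][w] for u, w in path)  # bottleneck conductance
        for u, w in path:
            cap[u][w] -= push
            cap[w][u] += push
        total += push

def insecurity(kmap):
    """Sum of maximum flows into each node from every other node."""
    n = len(kmap)
    return {NODES[t]: sum(max_flow(kmap, s, t) for s in range(n) if s != t)
            for t in range(n)}

if __name__ == "__main__":
    print("START -> C minimum complexity:", min_complexity_paths(KMAP)[0][2])
    for name, level in insecurity(KMAP).items():
        print(f"{name}: insecurity {level:.4f}")
```

Under these assumptions C receives the largest summed flow even though no link leads to it directly from START, which is the effect the paragraph above describes; the numbers are not expected to match the paper's flow matrix.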

4. Summary 

A Kolmogorov Complexity estimate was used within the 
Active Virtual Network Management Prediction framework 
in order to characterize and improve system performance. 
The application in this paper focused on an active network 
in which information, algorithmic and static, was transmit- 
ted to support prediction for active network management. 
However, the results are ubiquitously applicable to algorith- 
mic transmission of information in general. Kolmogorov 
Complexity was experimentally validated as a theory de- 
scribing the relationship between algorithmic compression, 
complexity, and prediction accuracy within an active net- 
work. Next the relationship between complexity and vul- 
nerability analysis was proposed. Finally, this work sets the 
stage for research into self-composing solutions based upon 
Kolmogorov Complexity which will be the focus of the next 
phase of this project. 
Figure 12. Active Networks and Legacy Networks as Viewed by AVNMP.
Figure 21. Component Complexity for Components B, C, and E.
Figure 15. Prediction Hypothesis (He) Compared with Actual Load in AVNMP Test.
Figure 16. Prediction Error and Complexity Estimate over a Range of AVNMP Hypotheses for Load Prediction.



res = AnetSim[{{{#1/#2 &}, {22., 7.}},
    {{#1 &}, {RUN[{{#1/#2 &}, {22., 7.}}]}}},
  {{1, 2, 3, 4}, {4, 3, 2, 1}}, {100, 100, 1000, 10000}];



Figure 19. Algorithmic View of Active Packets. 




Figure 24. System under Analysis: Components and Topology. 
Figure 22. Mean Component Complexities for Components B, C, and E.



gnp = Graph[KMap, Range[Length[KMap]]]

Graph[{{∞, 1.17593, ∞, 1.0975}, {∞, ∞, 1.1074,
{∞, ∞, ∞, ∞}, {∞, ∞, 1.1074, ∞}}, {1, 2, 3, 1}]

Figure 23. Kolmogorov Complexity Map (K-Map) Matrix.
Figure 25. Minimum Complexity Paths Matrix.
Figure 28. Grid-Based Representation of Information Assurance.



CoordVul y_] := Module[{s},

Length[g[[2]]]
Return[ ^ NetworkFlow[g, s,

xy2node[g, x, y][[2]]]]

]

Figure 26. Insecurity Flow Graph. 

MatrixForm[Table[CoordVul[gnp, x, y],
  {x, -1., 1., .3}, {y, -1., 1., .3}]]

3.65124 3.65124 3.65124 3.65124 3.65124 3.65124 3.65124
3.65124 3.65124 3.65124 3.65124 3.65124 3.65124 3.65124
1.04669 1.04669 3.65124 3.65124 3.65124 3.65124 0.896949
1.04669 1.04669 0.896949 0.896949
1.04669 1.04669 1.04669 0.896949 0.896949
1.04669 1.04669 1.04669 1.04669 0.896949 0.896949 0.896949

Figure 27. Insecurity Flow Results.




Figure 30. Insecurity Flow Contour of System in Figure 